Iterative imperative programs can be considered as infinite-state systems computing over possibly unbounded domains. Studying reachability in these systems is challenging as it requires dealing with an infinite number of states with standard backward or forward exploration strategies. An approach that we call Constraint-based reachability is proposed to address reachability problems by exploring program states using a constraint model of the whole program. The key point of the approach is to interpret imperative constructions such as conditionals, loops, array and memory manipulations with the fundamental notion of constraint over a computational domain. By combining constraint filtering and abstraction techniques, Constraint-based reachability is able to solve reachability problems which are usually outside the scope of backward or forward exploration strategies. This paper proposes an interpretation of classical filtering consistencies used in Constraint Programming as abstract domain computations, and shows how this approach can be used to produce a constraint solver that efficiently generates solutions for reachability problems that are unsolvable by other approaches.



1 Introduction 

Modern automated program verification can be seen as the convergence of three distinct approaches, namely Software Testing, Model-Checking and Program Proving. Even if the general verification problems are often undecidable, investigations on these approaches have delivered the most efficient automated techniques to show whether a given property is satisfied or not by all the reachable states of an infinite-state system.

Several authors have advocated the usage of constraints to represent an infinite set of states and the usage of constraint solvers to efficiently address reachability problems [6, 13, 16, 4]. In automated program verification problems, the goal is to find a state of the program which violates a given safety property, i.e., an unsafe state. Two distinct strategies have been investigated to explore programs with constraints, namely the forward analysis and the backward analysis strategies. In forward analysis, a set of reachable states is explored by computing the transitions from the initial states of a program to the next states in a forward way. If an unsafe state is detected to belong to the set of reachable states during this exploration, then a property violation is reported. In backward analysis, states are computed from a hypothetical unsafe state in a backward way, with the hope of discovering that one of them is actually an initial state. One advantage of backward analysis over forward analysis is its usage of the targeted unsafe state to refine the state search space. Both strategies are quite powerful and have been implemented in several software model checkers based on constraint solving [25, 16] and automated test case generators [29, 17, 8, 3].

In this paper, we present an integrated constraint-based strategy that can benefit from the strengths of both forward and backward analysis. The key point of the approach, which we have called Constraint-Based Reachability (CBR), is to interpret imperative constructions such as conditionals, loops, array and memory manipulations with the fundamental notion of constraint over a computational domain. By combining constraint filtering and abstraction techniques, CBR is able to solve reachability problems which are usually outside the scope of backward or forward exploration strategies. A main difference is that CBR does not sequentially explore the execution paths of the program; the exploration is driven by the constraint solver, which picks up the constraint to explore depending on the priorities that are attached to them. It is worth noticing that applying CBR to program exploration results in only a semi-correct procedure, meaning that there is no termination guarantee. CBR has been mainly applied in automatic test data generation for iterative programs [21, 22], programs that manipulate pointers towards named locations of the memory [23, 24], programs on dynamic data structures and anonymous locations, and programs containing floating-point computations [5]. A major improvement of the approach was brought by the usage of Abstract Interpretation techniques to enrich the filtering capabilities of the constraints used to represent conditionals and loops [14, 15]. This approach permitted us to build efficient test data generator tools for a subset of C and for Java Bytecode.

The first contribution of this paper is the interpretation of classical filtering consistency notions in terms of abstract domain computations. Constraint filtering is the main approach behind the processing of constraints in a finite domains constraint solver. We show in general the existence of tight links between classical filtering techniques and abstract domain computations that were not pointed out elsewhere. We also give the definition of a new consistency filtering inspired from the Polyhedral abstract domain, as a consequence of these links.

The second contribution is the description of a special constraint handling any iterative construction. The constraint w captures iterative reasoning in a constraint solver and, as such, is able to deduce information which is outside the scope of any pure forward or backward abstract analyzer. Its filtering capabilities combine both constraint reasoning and abstract domain computations in order to propagate information to the rest of the constraint system. In this paper, we focus on the theoretical foundations of the constraint, while giving examples of its usage for test case generation over iterative programs.

Outline of the paper. The rest of the paper is organized as follows. Sec. 2 introduces the necessary background in Abstract Interpretation to understand the contributions of the paper. Sec. 3 establishes the link between classical constraint filtering and abstract domain computations. Sec. 4 describes the theoretical foundation of the w constraint for handling iterative constructions, while Sec. 5 concludes the paper.

2 Background 

Abstract Interpretation (AI) is a theoretical framework introduced by Cousot and Cousot in [10] to manipulate abstractions of program states. An abstraction can be used to simplify program analysis problems otherwise not computable in realistic time into manageable problems that are more easily solvable. Instead of working on the concrete semantics of a program¹, AI computes results over an abstract semantics, thereby producing over-approximating properties of the concrete semantics. In the following we introduce the basic notions required to understand AI.

Definition 1 (Partially ordered set (poset)) Let $\sqsubseteq$ be a partial order law, then the pair $(\mathcal{D}, \sqsubseteq)$ is called a poset iff

$$\forall x \in \mathcal{D},\ x \sqsubseteq x \quad \text{(reflexive)}$$

$$\forall x, y \in \mathcal{D},\ x \sqsubseteq y \wedge y \sqsubseteq x \Rightarrow x = y \quad \text{(anti-symmetry)}$$

$$\forall x, y, z \in \mathcal{D},\ x \sqsubseteq y \wedge y \sqsubseteq z \Rightarrow x \sqsubseteq z \quad \text{(transitive)}$$



¹ Program semantics captures formally all the possible behaviours of a program.
Definition 2 (Complete lattice) A complete lattice is a 4-tuple $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap)$ such that:

• $(\mathcal{D}, \sqsubseteq)$ is a poset;

• $\sqcup$ is an upper bound: $\forall \mathcal{Y} \subseteq \mathcal{D}$, we have

• $\sqcap$ is a lower bound: $\forall \mathcal{Y} \subseteq \mathcal{D}$, we have

Complete lattices have a single smallest element $\bot = \sqcap \mathcal{D}$ and a single greatest element $\top = \sqcup \mathcal{D}$. Program semantics can usually be expressed as the least fix point of a monotonic and continuous function. A function $f$ from a complete lattice $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap)$ to itself is monotonic iff $\forall l_1, l_2 \in \mathcal{D},\ l_1 \sqsubseteq l_2 \Rightarrow f(l_1) \sqsubseteq f(l_2)$. It is continuous iff $\forall \mathcal{Y} \subseteq \mathcal{D},\ f(\sqcup \mathcal{Y}) = \sqcup_{y \in \mathcal{Y}} f(y)$ and $f(\sqcap \mathcal{Y}) =$ 
The following theorem guarantees the existence of the fix points of a monotonic function.

Theorem 1 (Knaster-Tarski) In a complete lattice $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap)$, for all monotonic functions $f : \mathcal{D} \to \mathcal{D}$,

• the least fix point of $f$ (i.e., $\mathrm{lfp}(f)$) exists and $\mathrm{lfp}(f) = \sqcap\{x \mid f(x) \sqsubseteq x\}$

• the greatest fix point of $f$ (i.e., $\mathrm{gfp}(f)$) exists and $\mathrm{gfp}(f) = \sqcup\{x \mid x \sqsubseteq f(x)\}$

In addition, when the functions are continuous, these fix points can be computed using an algorithm 
derived from the following theorem: 

Theorem 2 (Kleene) In a complete lattice $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap)$, for monotonic and continuous functions $f : \mathcal{D} \to \mathcal{D}$, the least fix point of $f$ is equal to $\sqcup\{f^n(\bot) \mid n \in \mathbb{N}\}$ and the greatest fix point of $f$ is equal to $\sqcap\{f^n(\top) \mid n \in \mathbb{N}\}$.

As $\bot, f(\bot), \ldots$ is an increasing sequence, we get $\sqcup\{f^n(\bot) \mid n \le k\} = f^k(\bot)$. Hence, $\mathrm{lfp}(f) = \lim_{k \to +\infty} f^k(\bot)$ and $\mathrm{gfp}(f) = \lim_{k \to +\infty} f^k(\top)$.

To reach the least fix point of a monotonic and continuous function in a complete lattice, it suffices to iterate $f$ from $\bot$ until a fix point is reached.

Let $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap)$ be a complete lattice called the concrete lattice and $f$ a function that defines some concrete semantics over this lattice, let $(\mathcal{D}^\sharp, \sqsubseteq^\sharp)$ be a poset called the abstract poset, and $f^\sharp : \mathcal{D}^\sharp \to \mathcal{D}^\sharp$ be a continuous function; then Abstract Interpretation aims at computing a fix point of $f^\sharp$ in order to over-approximate the computation performed by $f$.

Depending on whether the abstract poset is a complete lattice or not, we have distinct theoretical results regarding the abstraction. Proofs of the following theorems can be found in [11].



Galois connection When the abstract poset is a complete lattice, the notion of Galois connection is available to link the abstract computations with the concrete lattice.

Definition 3 (Galois connection) Let $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap)$ and $(\mathcal{D}^\sharp, \sqsubseteq^\sharp, \sqcup^\sharp, \sqcap^\sharp)$ be two complete lattices, then a pair of functions $\alpha : \mathcal{D} \to \mathcal{D}^\sharp$ and $\gamma : \mathcal{D}^\sharp \to \mathcal{D}$ is a Galois connection iff $\forall x \in \mathcal{D}, \forall y \in \mathcal{D}^\sharp,\ \alpha(x) \sqsubseteq^\sharp y \Leftrightarrow x \sqsubseteq \gamma(y)$, noted:

$$(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap) \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} (\mathcal{D}^\sharp, \sqsubseteq^\sharp, \sqcup^\sharp, \sqcap^\sharp)$$

Figure 1: Static approximations of fixed point computations in complete lattices

The next definition establishes the correctness property of an analysis.

Definition 4 (Sound approximation) Let $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap) \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} (\mathcal{D}^\sharp, \sqsubseteq^\sharp, \sqcup^\sharp, \sqcap^\sharp)$ be a Galois connection, then a function $f^\sharp : \mathcal{D}^\sharp \to \mathcal{D}^\sharp$ is a sound approximation of $f : \mathcal{D} \to \mathcal{D}$ iff

$$\forall y \in \mathcal{D}^\sharp,\ f \circ \gamma(y) \sqsubseteq \gamma \circ f^\sharp(y)$$

Consequently, we have the following notion:

Theorem 3 (Smallest sound approximation) Let $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap) \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} (\mathcal{D}^\sharp, \sqsubseteq^\sharp, \sqcup^\sharp, \sqcap^\sharp)$ be a Galois connection, and $f : \mathcal{D} \to \mathcal{D}$ a function, then the smallest sound approximation of $f$ is $\alpha \circ f \circ \gamma$.

This theorem implies that any function greater than $\alpha \circ f \circ \gamma$ is a sound approximation of $f$, and the following theorem characterizes the results of fixpoint computations:

Theorem 4 (Fixpoint computations with sound approximation) Let $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap) \underset{\alpha}{\overset{\gamma}{\leftrightarrows}} (\mathcal{D}^\sharp, \sqsubseteq^\sharp, \sqcup^\sharp, \sqcap^\sharp)$ be a Galois connection, let $f^\sharp : \mathcal{D}^\sharp \to \mathcal{D}^\sharp$ and $f : \mathcal{D} \to \mathcal{D}$ be two monotonic functions such that $f^\sharp$ is a sound approximation of $f$, then we have:

$$\mathrm{lfp}(f) \sqsubseteq \gamma(\mathrm{lfp}(f^\sharp)) \quad \text{and} \quad \mathrm{gfp}(f) \sqsubseteq \gamma(\mathrm{gfp}(f^\sharp))$$

Intuitively, this theorem gives a process to compute an over-approximation by Abstract Interpretation, as shown in Fig. 1. The left part shows the concrete lattice where the concrete computation of $f$ is performed starting from the initial state $S_0$. The right part shows the abstract lattice that is used to over-approximate the computation. This computation is undertaken in three steps:

• initial state abstraction;

• fixpoint computation in the abstract lattice;

• result concretization.

Without Galois connection When the abstract lattice is not complete, a best abstraction does not necessarily exist for all elements of the concrete lattice. The notion of Galois connection is no longer available and the abstract lattice is just linked with the concrete lattice through a monotonic function $\gamma : \mathcal{D}^\sharp \to \mathcal{D}$. The definition of sound approximation needs to be adapted:

Definition 5 (Sound approximation without a Galois connection) Let $(\mathcal{D}, \sqsubseteq)$ and $(\mathcal{D}^\sharp, \sqsubseteq^\sharp)$ be two posets, let $\gamma : \mathcal{D}^\sharp \to \mathcal{D}$ be a monotonic function and $f : \mathcal{D} \to \mathcal{D}$ a function, then the function $f^\sharp : \mathcal{D}^\sharp \to \mathcal{D}^\sharp$ is a sound approximation of $f$ iff

$$\forall x \in \mathcal{D}^\sharp,\ f \circ \gamma(x) \sqsubseteq \gamma \circ f^\sharp(x)$$

In such a (not complete) abstract lattice, nothing guarantees the existence of the least fix point: $\mathrm{lfp}(f)$ is not necessarily approximated by $\mathrm{lfp}(f^\sharp)$. However, any fix point of $f^\sharp$ can be used:

Theorem 5 Let $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap)$ be a complete lattice and $(\mathcal{D}^\sharp, \sqsubseteq^\sharp)$ be a poset, let $\gamma : \mathcal{D}^\sharp \to \mathcal{D}$, $f : \mathcal{D} \to \mathcal{D}$ and $f^\sharp : \mathcal{D}^\sharp \to \mathcal{D}^\sharp$ be three monotonic functions; then if $f^\sharp$ is a sound approximation of $f$, we have:

$$\forall x \in \mathcal{D}^\sharp,\ f^\sharp(x) = x \Rightarrow \mathrm{lfp}(f) \sqsubseteq \gamma(x)$$

The next theorem is useful to compute an over-approximation of $\mathrm{gfp}(f)$ when the lattice is not complete:

Theorem 6 Let $(\mathcal{D}, \sqsubseteq, \sqcup, \sqcap)$ be a complete lattice, let $(\mathcal{D}^\sharp, \sqsubseteq^\sharp)$ be a poset with a greatest element $\top$ and let $\gamma : \mathcal{D}^\sharp \to \mathcal{D}$, $f : \mathcal{D} \to \mathcal{D}$ and $f^\sharp : \mathcal{D}^\sharp \to \mathcal{D}^\sharp$ be three monotonic functions; then if $f^\sharp$ is a sound approximation of $f$ and $a$ is an element of $\mathcal{D}^\sharp$ such that there exists $k$ with $a = (f^\sharp)^k(\top)$, then

$$\mathrm{gfp}(f) \sqsubseteq \gamma(a)$$

Consequently, when the abstract lattice is not complete, instead of abstracting the initial state, one selects an element of the abstract lattice that over-approximates the initial state, and a fix point is computed in the abstract lattice from this element. The fix point is still an over-approximation of the concrete semantics.

2.1 Examples of abstract domains 

In this section, we briefly describe two abstract domains: the Interval [12] and the Polyhedral [11] domains.

2.1.1 The Interval abstract domain 

Interval analysis aims at approximating a set of values by an interval of possible values. If $\mathcal{I} = \{[a,b] \mid a, b \in \mathbb{N} \cup \{-\infty, +\infty\}\}$, then the Interval abstract domain is the Cartesian product $\mathcal{I} \times \ldots \times \mathcal{I}$ equipped with inclusion, union and intersection over intervals. This abstract domain is a complete lattice. State abstraction is performed by computing an interval that over-approximates the set of possible values for each variable. If the concrete state is an unbounded set of tuples $\{(x_{11}, \ldots, x_{n1}), (x_{12}, \ldots, x_{n2}), \ldots\}$ then:

$$\alpha(\{(x_{11}, \ldots, x_{n1}), (x_{12}, \ldots, x_{n2}), \ldots\}) = ([m_1, M_1], \ldots, [m_n, M_n])$$

with

$$m_i = \begin{cases} \min_j(x_{ij}) & \text{if it exists} \\ -\infty & \text{else} \end{cases} \qquad M_i = \begin{cases} \max_j(x_{ij}) & \text{if it exists} \\ +\infty & \text{else} \end{cases}$$

The concretization of an abstract state is obtained by computing the Cartesian product of the intervals. These functions define a Galois connection between the concrete domain and the abstract domain of intervals.

The approximation of transfer functions is realized by using their structure and classical results from Interval Analysis [27]. For example, the functions $[x \le y]$ and $[x = y + z]$ are abstracted by the following (sound) approximations:

$$[x \le y]^\sharp : ([a,b],[c,d]) \mapsto ([a, \min(b,d)],\ [\max(a,c), d])$$

$$[x = y + z]^\sharp : ([a,b],[c,d],[e,f]) \mapsto ([c+e, d+f] \cap [a,b],\ [a-f, b-e] \cap [c,d],\ [a-d, b-c] \cap [e,f])$$
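The two transfer functions above, implemented as an added example (not the paper's code) together with the abstraction and concretization of the Interval domain and a check of Definition 4 against the concrete semantics; integer bounds are assumed finite so that γ can be enumerated, and $[x \le y]^\sharp$ uses exactly the formula given above:

```python
"""Interval abstract domain (Section 2.1.1): alpha, gamma, the transfer functions
[x <= y]# and [x = y + z]#, and a soundness check against the concrete semantics.
Added example, not the paper's code. Assumption: all bounds are finite integers."""
from itertools import product

# An abstract state is a tuple of intervals (lo, hi); None is bottom (no concrete state).

def alpha(states):
    """alpha: set of n-tuples -> ([m_1, M_1], ..., [m_n, M_n]), the componentwise hull."""
    if not states:
        return None
    n = len(next(iter(states)))
    return tuple((min(s[i] for s in states), max(s[i] for s in states)) for i in range(n))

def gamma(intervals):
    """gamma: Cartesian product of the intervals (enumerated, hence finite bounds)."""
    if intervals is None:
        return set()
    return set(product(*(range(lo, hi + 1) for lo, hi in intervals)))

def meet(i, j):
    """Intersection of two intervals, or None when it is empty."""
    lo, hi = max(i[0], j[0]), min(i[1], j[1])
    return (lo, hi) if lo <= hi else None

def le_sharp(ix, iy):
    """[x <= y]#: ([a,b],[c,d]) -> ([a, min(b,d)], [max(a,c), d]); bottom if empty."""
    (a, b), (c, d) = ix, iy
    rx, ry = meet((a, min(b, d)), ix), meet((max(a, c), d), iy)
    return None if rx is None or ry is None else (rx, ry)

def add_sharp(ix, iy, iz):
    """[x = y + z]#: ([a,b],[c,d],[e,f]) ->
    ([c+e, d+f] n [a,b], [a-f, b-e] n [c,d], [a-d, b-c] n [e,f]); bottom if empty."""
    (a, b), (c, d), (e, f) = ix, iy, iz
    rx = meet((c + e, d + f), ix)   # x = y + z
    ry = meet((a - f, b - e), iy)   # y = x - z
    rz = meet((a - d, b - c), iz)   # z = x - y
    return None if None in (rx, ry, rz) else (rx, ry, rz)

# Concrete semantics of the same two tests: filters on the set of states.
def le_concrete(states):
    return {s for s in states if s[0] <= s[1]}

def add_concrete(states):
    return {s for s in states if s[0] == s[1] + s[2]}

def is_sound(f_sharp, f, intervals):
    """Definition 4 instance: alpha(f(gamma(I))) is below f#(I), componentwise."""
    exact = alpha(f(gamma(intervals)))
    approx = f_sharp(*intervals)
    if exact is None:
        return True        # bottom is below every abstract state
    if approx is None:
        return False       # a concrete state was lost: unsound
    return all(p[0] <= e[0] and e[1] <= p[1] for e, p in zip(exact, approx))

if __name__ == "__main__":
    print(add_sharp((0, 10), (0, 3), (0, 3)))   # ((0, 6), (0, 3), (0, 3))
    print(is_sound(add_sharp, add_concrete, ((5, 5), (0, 10), (0, 10))))
```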



2.1.2 The Polyhedral abstract domain 

In Polyhedral analyses, each concrete state is abstracted by a conjunction of linear constraints that defines a convex polyhedron. Indeed, a convex polyhedron is a region of an n-dimensional space that is bounded by a finite set of hyperplanes $\{x \in \mathbb{R}^n \mid a \cdot x \ge c\}$ where $a \in \mathbb{R}^n$ and $c \in \mathbb{R}$. The abstract lattice equipped with inclusion, convex hull² and intersection of polyhedra is not a complete lattice, as there is no upper bound to the convex union of all the convex polyhedra that can be written in a circle. Abstract functions can be defined to deal with polyhedra. For example:

$$[x > y]^\sharp(\{z < x + y\}) = \{z < x + y,\ y < x\} \quad (1)$$

$$[x > y]^\sharp(\{x < y\}) = \{0 = 1\} \quad (2)$$

$$[x = y * z]^\sharp(\{1 \le y \le 10\}) = \{x \le z,\ x \le 10 * z\} \quad (3)$$

If the expression is a linear condition, then it is just added to the polyhedron (case 1). If the expression is contradictory with the current polyhedron, then it is reduced to $0 = 1$, meaning that there is no abstract (and concrete) state in the approximation (case 2). If the expression is non-linear, then a linear approximation is derived when available and added to the polyhedron (case 3).



3 Filtering consistencies as abstract domain computations 

As noticed by Apt [1], constraint propagation algorithms can be seen as instances of algorithms that deal with chaotic iteration. In this context, chaotic means fair application of propagators until saturation. In this section, we elaborate on a bridge between two unrelated notions: filtering consistencies and abstract domains. In particular, we show that arc- and bound-consistency are instances of chaotic iterations over two distinct abstract domains. Classical AI notions of sound approximation and abstract domain computations, not used in [1], allow us to show that filtering consistencies compute sound over-approximations of the solution set of a constraint system. Thanks to this bridge, we also propose new filtering consistency algorithms based on the polyhedral abstract domain.



² The union of two polyhedra is not a polyhedron; this is the reason why the convex hull or any relaxation of it must be employed.
3.1 Notations

Let $\mathbb{Z}$ be the set of integers and $\mathcal{V}$ be a finite set of integer variables, where each variable $x$ in $\mathcal{V}$ is associated with a finite domain $D(x)$. The domain $\mathcal{D}$ is the Cartesian product of each variable domain: $D(x_1) \times \ldots \times D(x_m)$, and $\mathcal{P}(\mathcal{D})$ denotes the powerset of $\mathcal{D}$. $\inf_\mathcal{D} x$ and $\sup_\mathcal{D} x$ denote respectively the inferior and the superior bounds of $D(x)$ in $\mathcal{D}$. A constraint $c$ is a relation between variables of $\mathcal{V}$. The language of (elementary) constraints is built over arithmetical operators $\{+, -, *, \ldots\}$ and relational operators $\{<, \le, >, \ge, =, \ne, \ldots\}$, but any relation over a subset of $\mathcal{V}$ can be considered. Let $vars(c)$ be the function that returns the variables of $\mathcal{V}$ appearing in a constraint $c$. A valuation $\sigma$ is a mapping of variables to values, noted $\{x_1 \mapsto d_1, \ldots, x_n \mapsto d_n\}$. $CS$ denotes a constraint system, i.e., a finite set of constraints.

3.2 Exact filtering 

Let $\{c_1, .., c_m\}$ be a $CS$ over $\{x_1, .., x_n\}$ and let $\mathcal{D} = D(x_1) \times .. \times D(x_n)$, then the solution set of $CS$ is an element of $\mathcal{P}(\mathcal{D})$, noted $sol(CS)$.

The exact filtering operator of a constraint $c_i$ is computed with the function $f_i : \mathcal{P}(\mathcal{D}) \to \mathcal{P}(\mathcal{D})$ which maps an element $S \in \mathcal{P}(\mathcal{D})$ to $\{s \mid s \in S \wedge c_i(s)\}$. The exact filtering operator of $c_i$ removes all the tuples of $\mathcal{D}$ that violate $c_i$. Hence, by using an iterating procedure, it permits to compute $sol(CS)$: if $f_C = f_1 \circ \ldots \circ f_m$ then $sol(C) = \mathrm{gfp}(f_C)$. By noticing that $f_C$ is continuous (as each $f_i$ is continuous) and monotonic, and thanks to Theorem 2, we get $sol(CS) = \lim_{k \to +\infty} f_C^k(\mathcal{D})$.

Example 1 Consider $CS = \{x \ne y,\ y \ne z,\ z \ne x\}$ where $x \in 1..2$, $y \in 1..2$, $z \in 1..2$. The exact filtering operator associated with $x \ne y$ will remove the tuples $(1,1,1), (1,1,2), (2,2,1), (2,2,2)$ from $\{1,2\} \times \{1,2\} \times \{1,2\}$. Iterating over all the constraints of $CS$ will eventually exhibit the inconsistency of this example.

In fact, this shows that exact filtering of a $CS$ over $D(x_1) \times .. \times D(x_n)$ can be reached if one computes over a complete lattice built over the set of possible valuations: $(\mathcal{P}(D(x_1) \times .. \times D(x_n)), \subseteq, \cup, \cap)$. This lattice will be called the concrete lattice in the rest of the paper. Of course, computing over the concrete lattice is usually unreasonable, as it requires examining every tuple of the Cartesian product $D(x_1) \times .. \times D(x_n)$ w.r.t. the consistency of each constraint.

3.3 Domain-consistency filtering 

For binary constraint systems, the most successful local consistency filtering is arc-consistency, which ensures that every value in the domain of one variable has a support in the domain of the other variable. The standard extension of arc-consistency for constraints of more than two variables is domain-consistency (also called hyper-arc consistency [26]). Roughly speaking, the abstraction that underpins domain-consistency filtering aims at considering each variable domain separately, instead of considering the Cartesian product of each individual domain. More formally,

Definition 6 (Domain-consistency) A domain $\mathcal{D}$ is domain-consistent for a constraint $c$ where $vars(c) = \{x_1, .., x_n\}$ iff for each variable $x_i$, $1 \le i \le n$, and for each $d_i \in D(x_i)$ there exist integers $d_j$ with $d_j \in D(x_j)$, $1 \le j \le n$, $j \ne i$, such that $\sigma = \{x_1 \mapsto d_1, .., x_n \mapsto d_n\}$ is an integer solution of $c$.

Consider the domains $\mathcal{D} = D(x_1) \times .. \times D(x_n)$ and $\mathcal{D}^\sharp_{arc} = \mathcal{P}(D(x_1)) \times \ldots \times \mathcal{P}(D(x_n))$ and the abstraction function $\alpha_{arc} : \mathcal{P}(\mathcal{D}) \to \mathcal{D}^\sharp_{arc}$ which maps $S \in \mathcal{P}(\mathcal{D})$ to

$$\alpha_{arc}(S) = (\{x_1 \mid x \in S\}, \ldots, \{x_n \mid x \in S\})$$

The concretization function is a function $\gamma_{arc} : \mathcal{D}^\sharp_{arc} \to \mathcal{P}(\mathcal{D})$ such that

$$\gamma_{arc}((S_1, \ldots, S_n)) = S_1 \times \ldots \times S_n$$

If $\sqsubseteq^\sharp_{arc}$, $\sqcup^\sharp_{arc}$ and $\sqcap^\sharp_{arc}$ denote respectively the inclusion, union and intersection of two tuples of sets, then we get the following Galois connection:

$$(\mathcal{P}(\mathcal{D}), \subseteq, \cup, \cap) \underset{\alpha_{arc}}{\overset{\gamma_{arc}}{\leftrightarrows}} (\mathcal{D}^\sharp_{arc}, \sqsubseteq^\sharp_{arc}, \sqcup^\sharp_{arc}, \sqcap^\sharp_{arc})$$

The proof follows from the monotonicity of the projection and of the Cartesian product. From Theorem 3 we get:

Definition 7 The best sound approximation of the exact filtering operator $f_i$ is

$$f^\sharp_{i,arc} \overset{def}{=} \alpha_{arc} \circ f_i \circ \gamma_{arc}$$

Theorem 7 Let $p$ be a filtering operator associated with constraint $c_i$, then $p$ computes domain-consistency iff $p = f^\sharp_{i,arc}$.

This theorem implies that domain-consistency is the strongest property that can be guaranteed by a filtering operator using the abstraction $\alpha_{arc}$. A proof is given in the Appendix of the paper. Let us now consider the function $f^\sharp_{arc}$ such that $f^\sharp_{arc} = f^\sharp_{1,arc} \circ \ldots \circ f^\sharp_{m,arc}$. As $f^\sharp_{arc}$ is a sound approximation of $f_C$, then

$$sol(C) = \mathrm{gfp}(f_C) \subseteq \gamma_{arc}(\mathrm{gfp}(f^\sharp_{arc}))$$

This result shows, if necessary, that constraint propagation over domain-consistency filtering operators computes an over-approximation of the solution set of $C$.

3.4 Bound-consistency filtering 

Following the same scheme, AI can be used to show the abstraction that underpins constraint propagation with bound-consistency filtering (also called interval-consistency). But first, let us recall the definition of bound-consistency we consider in this paper, as several definitions exist in the literature [9]:

Definition 8 (Bound-consistency) A domain $\mathcal{D}$ is bound-consistent for a constraint $c$ where $vars(c) = \{x_1, .., x_n\}$ iff for each variable $x_i$, $1 \le i \le n$, and for each $d_i \in \{\inf_\mathcal{D} x_i, \sup_\mathcal{D} x_i\}$ there exist integers $d_j$ with $\inf_\mathcal{D} x_j \le d_j \le \sup_\mathcal{D} x_j$, $1 \le j \le n$, $j \ne i$, such that $\sigma = \{x_1 \mapsto d_1, .., x_n \mapsto d_n\}$ is an integer solution of $c$.

Roughly speaking, this approximation considers only the bounds of the domain of each variable and approximates each domain with an interval. Let $\mathcal{I}(S) = [\min(S), \max(S)]$ be the smallest interval that contains all the elements of a finite set of integers $S$. Similarly, $\mathcal{I}^{-1}(I)$ denotes the set of integers of an interval $I$: $\mathcal{I}^{-1}([a,b]) = \{x \in \mathbb{Z} \mid a \le x \le b\}$.

The abstract domain we consider for bound-consistency is $\mathcal{D}^\sharp_{bound} = \mathcal{I}(\mathcal{P}(D(x_1))) \times \ldots \times \mathcal{I}(\mathcal{P}(D(x_n)))$.

Given a tuple of sets $(S_1, \ldots, S_n)$ and a tuple of intervals $(I_1, \ldots, I_n)$, we consider the functions $\alpha_{inter}$ and $\gamma_{inter}$ such that:

$$\alpha_{inter}((S_1, \ldots, S_n)) = (\mathcal{I}(S_1), \ldots, \mathcal{I}(S_n))$$

$$\gamma_{inter}((I_1, \ldots, I_n)) = (\mathcal{I}^{-1}(I_1), \ldots, \mathcal{I}^{-1}(I_n))$$
Let $\alpha_{bound} : \mathcal{P}(\mathcal{D}) \to \mathcal{D}^\sharp_{bound}$ be an abstraction function such that

$$\alpha_{bound} = \alpha_{inter} \circ \alpha_{arc}$$

and $\gamma_{bound} : \mathcal{D}^\sharp_{bound} \to \mathcal{P}(\mathcal{D})$ be a concretization function such that

$$\gamma_{bound} = \gamma_{arc} \circ \gamma_{inter}$$

If $\sqsubseteq^\sharp_{bound}$, $\sqcup^\sharp_{bound}$ and $\sqcap^\sharp_{bound}$ respectively denote inclusion, union and intersection of intervals (component by component), then we get the following Galois connection:

$$(\mathcal{P}(\mathcal{D}), \subseteq, \cup, \cap) \underset{\alpha_{bound}}{\overset{\gamma_{bound}}{\leftrightarrows}} (\mathcal{D}^\sharp_{bound}, \sqsubseteq^\sharp_{bound}, \sqcup^\sharp_{bound}, \sqcap^\sharp_{bound})$$

If $f^\sharp_{i,bound}$ is the most accurate sound approximation of $f_i$, then we get:

$$f^\sharp_{i,bound} = \alpha_{bound} \circ f_i \circ \gamma_{bound} = \alpha_{inter} \circ f^\sharp_{i,arc} \circ \gamma_{inter}$$

Theorem 8 If $p$ is a filtering operator associated to constraint $c_i$, then $p$ computes bound-consistency iff $p = f^\sharp_{i,bound}$.

This theorem, proved in the Appendix, implies that bound-consistency is the strongest property that can be reached with an operator based on the $\alpha_{bound}$ abstraction.

Consider now the function $f^\sharp_{bound}$ such that $f^\sharp_{bound} = f^\sharp_{1,bound} \circ \ldots \circ f^\sharp_{m,bound}$. As $f^\sharp_{bound}$ is a sound approximation of $f_C$, then

$$sol(C) = \mathrm{gfp}(f_C) \subseteq \gamma_{bound}(\mathrm{gfp}(f^\sharp_{bound}))$$

This result shows, if necessary, that constraint propagation based on bound-consistency computes a sound over-approximation of the solution set of $C$. In addition, as $f^\sharp_{bound}$ is also a sound over-approximation of $f^\sharp_{arc}$, then

$$\gamma_{arc}(\mathrm{gfp}(f^\sharp_{arc})) \subseteq \gamma_{bound}(\mathrm{gfp}(f^\sharp_{bound}))$$

meaning that filtering with bound-consistency provides an over-approximation of the results given by filtering with domain-consistency.
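Sections 3.2 to 3.4 run on a machine, as an added example that is not the paper's code: exact filtering over the concrete lattice, $f^\sharp_{i,arc} = \alpha_{arc} \circ f_i \circ \gamma_{arc}$ and $f^\sharp_{i,bound} = \alpha_{inter} \circ f^\sharp_{i,arc} \circ \gamma_{inter}$, each iterated chaotically to its greatest fixpoint on Example 1 and on the constraint system of Example 2 below. Constraints are assumed to be given as Python predicates over tuples and domains as finite integer sets; the domain-consistency operator enumerates $\gamma_{arc}$, which is only practical for small domains.

```python
"""Exact, domain-consistency and bound-consistency filtering as abstract-domain
computations (alpha o f o gamma) with chaotic iteration to the greatest fixpoint.
Added example, not the paper's code. Assumption: constraints are predicates over
the full tuple (x_1, ..., x_n) and every D(x_i) is a small finite set of integers."""
from itertools import product

# ---- concrete lattice P(D): sets of tuples ----------------------------------
def f_exact(c, S):
    """Exact filtering operator f_i: keep the tuples of S that satisfy c."""
    return frozenset(t for t in S if c(*t))

# ---- domain-consistency: alpha_arc (projection) / gamma_arc (Cartesian product)
def alpha_arc(S, n):
    return tuple(frozenset(t[i] for t in S) for i in range(n))

def gamma_arc(sets):
    return frozenset(product(*sets))

def f_arc(c, sets):
    """f#_{i,arc} = alpha_arc o f_i o gamma_arc (Definition 7)."""
    return alpha_arc(f_exact(c, gamma_arc(sets)), len(sets))

# ---- bound-consistency: alpha_inter (interval hull) / gamma_inter (its integers)
EMPTY = (1, 0)                       # an interval with lo > hi denotes the empty set

def alpha_inter(sets):
    return tuple((min(s), max(s)) if s else EMPTY for s in sets)

def gamma_inter(intervals):
    return tuple(frozenset(range(lo, hi + 1)) for lo, hi in intervals)

def f_bound(c, intervals):
    """f#_{i,bound} = alpha_inter o f#_{i,arc} o gamma_inter (Section 3.4)."""
    return alpha_inter(f_arc(c, gamma_inter(intervals)))

# ---- chaotic iteration: fair application of the propagators until saturation
def propagate(step, constraints, state):
    while True:
        new = state
        for c in constraints:
            new = step(c, new)
        if new == state:
            return state
        state = new

def sol(constraints, domains):
    """sol(CS) = gfp(f_C), computed on the concrete lattice from D_1 x ... x D_n."""
    return propagate(f_exact, constraints, frozenset(product(*domains)))

def domain_consistent(constraints, domains):
    return propagate(f_arc, constraints, tuple(frozenset(d) for d in domains))

def bound_consistent(constraints, domains):
    return propagate(f_bound, constraints, alpha_inter([frozenset(d) for d in domains]))

# Example 1 of the paper: x != y, y != z, z != x over {1,2}^3 (inconsistent).
EX1 = ([lambda x, y, z: x != y, lambda x, y, z: y != z, lambda x, y, z: z != x],
       [{1, 2}, {1, 2}, {1, 2}])
# Example 2 of the paper: z = x + y, z = x * y with x, y in -7..10 and z in 3..10.
EX2 = ([lambda x, y, z: z == x + y, lambda x, y, z: z == x * y],
       [set(range(-7, 11)), set(range(-7, 11)), set(range(3, 11))])

if __name__ == "__main__":
    for name, (cs, doms) in (("Example 1", EX1), ("Example 2", EX2)):
        print(name, "exact:", sorted(sol(cs, doms)))
        print(name, "domain-consistent:", [sorted(s) for s in domain_consistent(cs, doms)])
        print(name, "bound-consistent:", bound_consistent(cs, doms))
```

On Example 1 the exact operator exposes the inconsistency while both consistencies leave every domain untouched; on Example 2 bound-consistency changes nothing (the paper's remark), domain-consistency only removes 0 from $D(x)$ and $D(y)$, and the exact operator isolates the single solution $(2,2,4)$.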

3.5 New filtering consistencies based on abstract domains 

In the previous section, classical filtering consistencies are interpreted in terms of abstract domain computations. In this section, we propose a new filtering consistency based on the Polyhedral abstract domain [11].

3.5.1 Linear relaxations 

When non-linear constraints are involved in a constraint store, approximating them with linear constraints is natural in order to benefit from powerful Linear Programming techniques. These techniques can be used to check the satisfiability of the constraint store when the approximation is sound: if the approximate constraint system is unsatisfiable, so is the non-linear constraint system. But, in the context of optimization problems, the approximation can also be used to prune the current bounds of the function to optimize.

Another form of approximation comes from the domain in which the computation occurs. A linear problem over integers can be relaxed in the domain of rationals or reals and solved within this domain. As the set of integers belongs to the rationals and reals, an integer solution of the relaxed problem is also a solution of the original integer problem, but the converse is false. In this paper, we will consider both kinds of approximations under the generic term of "linear relaxations".

Computing a linear relaxation of a constraint system $CS$ aims at finding a set of linear constraints that characterizes an over-approximation of the solution set of $CS$. It is not unique, but for trivial reasons we are more interested in the tightest possible relaxations. The tightest linear relaxation is the convex hull of the solution set of $CS$, but computing this relaxation is as hard as solving $CS$. For $CS$ over finite domains, the problem is therefore NP-hard. Whenever a relaxation is computed by using the current bounds of variable domains, it is called dynamic, and the consistencies presented in the rest of the section are compatible with dynamic linear relaxations.



3.5.2 Polyhedral-consistency filtering 

Let $Poly$ be the abstract domain of closed convex polyhedra with rational coefficients. As said previously, $Poly$ is not a complete lattice, and then we cannot define a Galois connection between $Poly$ and the lattice of the solutions. Nevertheless, the concretization function $\gamma_{poly} : Poly \to \mathcal{P}(\mathcal{D})$ can be defined as the function that returns the integer points of a given polyhedron:

$$\gamma_{poly}(S^\sharp) = int\_sol(S^\sharp)$$

Here, $int\_sol$ stands for the whole set of integer solutions of a set of linear constraints. As $S^\sharp$ is bounded, $\gamma_{poly}(S^\sharp)$ is finite.

Without a Galois connection, we do not expect the polyhedral-consistency proposed in this section to be optimal w.r.t. the abstract domain. Hence, we only show that the filtering algorithm that computes this consistency is a sound approximation of the exact filtering operator.

Definition 9 Let $\alpha_{box}$ be the following abstraction function $\alpha_{box} : \mathcal{D}^\sharp_{bound} \to Poly$ such that

$$\alpha_{box}(([a_1, b_1], \ldots, [a_m, b_m])) = \{a_1 \le x_1 \le b_1, \ldots, a_m \le x_m \le b_m\}$$

and the concretization function $\gamma_{box} : Poly \to \mathcal{D}^\sharp_{bound}$

$$\gamma_{box}(P) = \begin{cases} ([\lceil \min(x_1, P) \rceil, \lfloor \max(x_1, P) \rfloor], \ldots, [\lceil \min(x_m, P) \rceil, \lfloor \max(x_m, P) \rfloor]) & \text{if } \forall i,\ \lceil \min(x_i, P) \rceil \le \lfloor \max(x_i, P) \rfloor \\ & \text{otherwise} \end{cases}$$

where $\lfloor x \rfloor$ (resp. $\lceil x \rceil$) stands for the next smallest (resp. largest) integer of $x$, and $\min(v, P)$ (resp. $\max(v, P)$) computes the smallest (resp. largest) value of $v$ corresponding to a point of $P$. Both $\alpha_{box}$ and $\gamma_{box}$ link the polyhedral abstract domain with the interval abstract domain. The abstraction function $\alpha_{box}$ maps a set of intervals into a polyhedron by adding two inequalities per variable, while the concretization function $\gamma_{box}$ maps a polyhedron into a set of intervals by computing first the smallest hypercuboid containing the polyhedron and second the greatest hypercuboid with integer bounds. The behaviour of these two functions is illustrated in Fig. 2.
Figure 2: Connection between the Polyhedral and Interval abstract domains

Definition 10 (Polyhedral-consistency) A domain $\mathcal{D}$ is polyhedral-consistent for a constraint $c$ where $vars(c) = \{x_1, .., x_n\}$ iff for each variable $x_i$, $1 \le i \le n$, and for each $d_i \in \{\inf_\mathcal{D} x_i, \sup_\mathcal{D} x_i\}$ there exist rationals $r_j$ with $\inf_\mathcal{D} x_j \le r_j \le \sup_\mathcal{D} x_j$, $1 \le j \le n$, $j \ne i$, such that $\sigma = \{x_1 \mapsto r_1, .., x_n \mapsto r_n\}$ is a (rational) solution of a linear relaxation of $c$.

The rationale behind this definition is to benefit from efficient polyhedral techniques over the rationals to filter the variation domain of variables. Of course, interesting implementations of this filtering consistency should trade off efficiency against precision, as integer linear constraint solving is costly (an NP-hard problem) even for bounded domains. It is worth noticing that the definition depends on the quality of the underlying linear relaxation. On the one hand, a linear relaxation which over-approximates $c$ by $True$ (the whole search space) is useless, while on the other hand a linear relaxation which exploits piecewise over-approximations of $c$ is often too costly. We give examples of polyhedral-consistency filtering as a function of various linear relaxations.

Example 2 Consider the following $CS$: $z = x + y$, $z = x * y$; let $c$ be the second constraint of $CS$: $c = (z = x * y)$, and let $\mathcal{D}$ be $x \in -7..10$, $y \in -7..10$, $z \in 3..10$. Note that $\mathcal{D}$ is bound-consistent for all the constraints of $CS$.

The simplest linear relaxation that can be considered is the one that ignores non-linear constraints. In this example, $c$ is over-approximated by $True$, and then $\mathcal{D}$, viewed as $x \ge -7, x \le 10, y \ge -7, y \le 10, z \ge 3, z \le 10, z = x + y$, is polyhedral-consistent w.r.t. this linear relaxation. Note that this approach can be generalized by associating a fresh variable to the non-linear term $x * y$ with a domain computed using the bounds of $x$ and $y$. In this example this does not help, but it could help on other examples.

Another linear relaxation consists in building a polyhedron from the "bounds" of $x * y$ in $\mathcal{D} = x \in -7..10, y \in -7..10, z \in 3..10$. By considering the 2-dimensional polyhedron $\{(1,10), (10,1), (-1,-7), (-7,-1)\}$ we get that a linear relaxation of $c$ in domain $\mathcal{D}$ is

$$11x - 8y + 69 \ge 0$$
$$-x - y + 11 \ge 0$$
$$-8x + 11y + 69 \ge 0$$
$$x + y + 8 \ge 0$$

Filtering with the polyhedral-consistency, we get that $x \in -2..9$, $y \in -2..9$, $z \in 3..10$, where $D(x)$ and $D(y)$ have been pruned. These results can be easily computed using a Linear Programming tool and truncation operators. For example, using the clpq library of SICStus Prolog, which implements a simplex over the rationals, the following request permits to compute the max bound of variable $x$:
    {X >= -7, X =< 10, Y >= -7, Y =< 10, Z >= 3, Z =< 10, Z = X+Y,
     11*X - 8*Y + 69 >= 0, -X - Y + 11 >= 0, -8*X + 11*Y + 69 >= 0,
     X + Y + 8 >= 0}, sup(X, R).

    R = 179/19    % then the max bound of x is 9

Finally, we can automate the computation of linear relaxations of c by considering the following trivial constraints, which are always true for any x and y within their domains:

$$(x - \inf_D(x))(y - \inf_D(y)) \ge 0$$
$$(x - \sup_D(x))(y - \inf_D(y)) \le 0$$
$$(x - \inf_D(x))(y - \sup_D(y)) \le 0$$
$$(x - \sup_D(x))(y - \sup_D(y)) \ge 0$$

By decomposing these constraints, using the original bounds of x, y, z, and replacing the quadratic term $x*y$ by z, we get:

$$7x + 7y + z + 49 \ge 0$$
$$10x - 7y - z + 70 \ge 0$$
$$-7x + 10y - z + 70 \ge 0$$
$$-10x - 10y + z + 100 \ge 0$$

Filtering with the polyhedral-consistency, we get $x \in -2..9$, $y \in -2..9$, $z \in 3..10$, where $D(x)$ and $D(y)$ have been pruned. These domains are still bound-consistent, but a tighter relaxation can be computed with these new bounds:

$$2x + 2y + z + 4 \ge 0$$
$$9x - 2y - z + 18 \ge 0$$
$$-2x + 9y - z + 18 \ge 0$$
$$-9x - 9y + z + 81 \ge 0$$

and filtering again gives $x \in 0..8$, $y \in 0..8$, $z \in 3..10$. Here, filtering by bound-consistency prunes the domains to $x \in 1..8$, $y \in 1..8$, $z \in 3..10$ (x = 0 or y = 0 would force $z = x*y = 0$, outside $D(z)$). Then, by iterating these two processes, we get the only solution of the CS: $x \in 2..2$, $y \in 2..2$, $z \in 4..4$. This shows how dynamic linear relaxations can be used to solve a non-linear CS.
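The dynamic relaxation loop described above, as an added example that is not part of the paper or of its implementation: the four sign constraints are generated from the current bounds of x and y, polyhedral consistency is computed exactly over rationals by enumerating the vertices of the relaxation polyhedron (assumed here in place of the clpq simplex, which is valid because the box makes the polyhedron bounded), the rational bounds are truncated to the integer domains, and bound consistency of $z = x*y$ and $z = x + y$ is checked by enumeration over the small integer domains. All function and variable names are this example's own.

```python
from fractions import Fraction
from itertools import combinations, product
from math import ceil, floor

# Added example, not the paper's code. Solves the non-linear CS of this section:
#   x in -7..10, y in -7..10, z in 3..10,  c: z = x*y,  z = x + y
# by alternating polyhedral consistency on a dynamic linear relaxation of c with bound
# consistency. The LP step is exact (Fractions): the vertices of the relaxation polyhedron
# are enumerated, which stands in for the clpq simplex of the text.
VARS = ("x", "y", "z")
# A row (a, b, c, d) denotes the half-space a*x + b*y + c*z + d >= 0.
LINEAR_C = [(-1, -1, 1, 0), (1, 1, -1, 0)]      # z = x + y as two half-spaces
NONLINEAR = lambda x, y, z: z == x * y          # c, the constraint being relaxed
LINEAR = lambda x, y, z: z == x + y

def mccormick(lx, ux, ly, uy):
    """Linear relaxation of z = x*y from the four 'trivial' sign constraints of the text,
    e.g. (x - lx)(y - ly) >= 0 expands to x*y - ly*x - lx*y + lx*ly >= 0, and x*y is then
    replaced by z. Rows are in the order of the decomposed constraints listed in the text."""
    return [(-ly, -lx, 1, lx * ly),      # (x - lx)(y - ly) >= 0
            (uy, lx, -1, -lx * uy),      # (x - lx)(y - uy) <= 0
            (ly, ux, -1, -ux * ly),      # (x - ux)(y - ly) <= 0
            (-uy, -ux, 1, ux * uy)]      # (x - ux)(y - uy) >= 0

def box_rows(dom):
    """lo <= v <= hi for every variable, as rows."""
    rows = []
    for k, v in enumerate(VARS):
        lo, hi = dom[v]
        unit = [0, 0, 0]
        unit[k] = 1
        rows.append((unit[0], unit[1], unit[2], -lo))
        rows.append((-unit[0], -unit[1], -unit[2], hi))
    return rows

def det3(m):
    (a, b, c), (d, e, f), (g, h, i) = m
    return a * (e * i - f * h) - b * (d * i - f * g) + c * (d * h - e * g)

def polyhedral_bounds(rows):
    """Exact min/max of x, y, z over the bounded polyhedron {rows >= 0}. Every vertex is the
    intersection of three bounding planes, so each triple is solved by Cramer's rule and the
    feasible points are kept; a linear function reaches its extrema at vertices.
    Returns None when the polyhedron is empty."""
    rows = [tuple(Fraction(c) for c in r) for r in rows]
    vertices = []
    for triple in combinations(rows, 3):
        m = [r[:3] for r in triple]
        d = det3(m)
        if d == 0:                      # parallel or dependent planes: no single vertex
            continue
        rhs = [-r[3] for r in triple]
        point = []
        for k in range(3):
            mk = [list(row) for row in m]
            for i in range(3):
                mk[i][k] = rhs[i]
            point.append(det3(mk) / d)
        if all(r[0] * point[0] + r[1] * point[1] + r[2] * point[2] + r[3] >= 0 for r in rows):
            vertices.append(point)
    if not vertices:
        return None
    return {v: (min(p[k] for p in vertices), max(p[k] for p in vertices))
            for k, v in enumerate(VARS)}

def polyhedral_filter(dom):
    """One polyhedral-consistency step: relax c from the current box, add the box and the
    linear constraint, then truncate the rational bounds (ceil below, floor above)."""
    (lx, ux), (ly, uy) = dom["x"], dom["y"]
    b = polyhedral_bounds(box_rows(dom) + LINEAR_C + mccormick(lx, ux, ly, uy))
    if b is None:
        return None
    new = {v: (ceil(b[v][0]), floor(b[v][1])) for v in VARS}
    return None if any(lo > hi for lo, hi in new.values()) else new

def has_support(pred, var, val, dom):
    """Does some assignment of the two other variables, inside their domains, satisfy pred?"""
    others = [w for w in VARS if w != var]
    for vals in product(*(range(dom[w][0], dom[w][1] + 1) for w in others)):
        point = dict(zip(others, vals))
        point[var] = val
        if pred(point["x"], point["y"], point["z"]):
            return True
    return False

def bound_filter(dom):
    """Bound-consistency of each constraint taken separately: a bound is moved inwards while
    it has no support, until nothing changes (domains are small, so enumeration is enough)."""
    dom = dict(dom)
    changed = True
    while changed:
        changed = False
        for pred in (NONLINEAR, LINEAR):
            for var in VARS:
                lo, hi = dom[var]
                while lo <= hi and not has_support(pred, var, lo, dom):
                    lo += 1
                while lo <= hi and not has_support(pred, var, hi, dom):
                    hi -= 1
                if lo > hi:
                    return None
                if (lo, hi) != dom[var]:
                    dom[var] = (lo, hi)
                    changed = True
    return dom

def solve(dom):
    """Alternate the two filterings until the domains stop changing. Returns (final domains,
    or None if the CS is unsatisfiable; the list of domains after each round)."""
    trace = [dict(dom)]
    while True:
        new = polyhedral_filter(dom)
        if new is not None:
            new = bound_filter(new)
        if new is None:
            return None, trace
        if new == dom:
            return dom, trace
        dom = new
        trace.append(dict(dom))

if __name__ == "__main__":
    final, trace = solve({"x": (-7, 10), "y": (-7, 10), "z": (3, 10)})
    for i, d in enumerate(trace):
        print("round", i, d)
    print("solution:", final)        # {'x': (2, 2), 'y': (2, 2), 'z': (4, 4)}
```

The trace reproduces the text round by round: $-2..9$ after the first relaxation, $1..8$ after the second relaxation plus bound consistency, and the single point $x = 2, y = 2, z = 4$ two rounds later. Vertex enumeration is cubic in the number of rows and only works for bounded polyhedra, so a real solver keeps the simplex; the point here is the interplay between the relaxation, which gets tighter as the box shrinks, and the concrete bound filtering.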



4 The w constraint operator

In this section, we present the w constraint operator, which captures iterative computations, and how it is processed by a constraint solver. The constraint operator was introduced some time ago in [21, 22] and was further refined using Abstract Interpretation (AI) techniques [14]. In the following, we recall its interface and semantics and show how fixed point computations can be used to filter inconsistent values of the underlying relation. We also explain how the Polyhedral abstract domain is used to approximate the fixed point computations.



4.1 w as a relation over memory states

The w operator captures a relation over three memory states that represent the state before, within and after the execution of an iterating statement. In this paper, we do not specify what a memory state is, or what the iterating statement is, as the approach is generic regarding the content of a memory state and the concrete syntax of the iterator. However, in order to ease the understanding, the reader can consider a memory state to be a mapping from the variables of the program to values. More complex examples of memory states in relation with w can be found in [1] and [5].

The relation w is expressed with the following syntax: $w(\mathcal{M}_1, \mathcal{M}_2, \mathcal{M}_3, Dec, Body)$, where $\mathcal{M}_1$ denotes the memory state before execution of the iteration, $\mathcal{M}_2$ denotes the memory state reached at the end of one execution of Body, $\mathcal{M}_3$ denotes the state after execution of the whole iteration, Dec is a boolean syntactical expression, and Body is a list of statements. This three-state view is inspired by the Static Single Assignment form of a program [28]. If one of the states is irrelevant for a given computation, we simply write $\_$. Note that Body may also contain other iterators, and thus w is meant to be a compositional operator. The semantics of w is the semantics of an iterating statement (i.e., repetitive application of Body over an input state, while Dec is true).

We note $w^n = w \circ w \circ \dots \circ w$ (n times), where $\circ$ is the application composition.

4.2 Background on w

As described in [22], the operational semantics of w within a constraint solver is expressed as a set of guarded-constraints $\{(C_1 \rightarrow C_2)_i\}_{1 \le i \le n}$. If $C_1$ is entailed by the constraint store then $C_2$ is added to it, and the relation w is solved. If $C_1$ is disentailed, then the guarded-constraint is discarded and no longer considered in further analysis. Finally, if none of these (dis-)entailment deductions is possible, the guarded-constraint just suspends in the constraint store. The set of guarded-constraints is considered each time the constraint w awakes in the constraint store, so that it captures the essence of the iteration through rewriting in recursive calls. In addition, substitution of variables must be considered to faithfully represent the constraints in a w relation. Dec and Body are written over the variables of $\mathcal{M}_3$ (the variables on which the loop condition is tested, which hold the values at exit), and $Dec_{\mathcal{M}_3 \leftarrow \mathcal{M}_1}$ simply denotes the constraint Dec where the program variables from $\mathcal{M}_3$ have been substituted by the variables from $\mathcal{M}_1$; the same notation applies to Body, whose output variables are those of $\mathcal{M}_2$. With these notations, the w relation is expressed as follows (with the argument order of Section 4.1):

$w(\mathcal{M}_1, \mathcal{M}_2, \mathcal{M}_3, Dec, Body)$ iff

• $Dec_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \rightarrow Body_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \wedge w(\mathcal{M}_2, \mathcal{M}_{new}, \mathcal{M}_3, Dec, Body_{\mathcal{M}_2 \leftarrow \mathcal{M}_{new}})$

• $\neg Dec_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \rightarrow \mathcal{M}_3 = \mathcal{M}_1$

• $\neg(Dec_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \wedge Body_{\mathcal{M}_3 \leftarrow \mathcal{M}_1}) \rightarrow \neg Dec_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \wedge \mathcal{M}_3 = \mathcal{M}_1$

• $\neg(\neg Dec_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \wedge \mathcal{M}_3 = \mathcal{M}_1) \rightarrow Dec_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \wedge Body_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \wedge w(\mathcal{M}_2, \mathcal{M}_{new}, \mathcal{M}_3, Dec, Body_{\mathcal{M}_2 \leftarrow \mathcal{M}_{new}})$

• $join\big(Dec_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \wedge Body_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \wedge w(\mathcal{M}_2, \mathcal{M}_{new}, \mathcal{M}_3, Dec, Body_{\mathcal{M}_2 \leftarrow \mathcal{M}_{new}}),\ \neg Dec_{\mathcal{M}_3 \leftarrow \mathcal{M}_1} \wedge \mathcal{M}_3 = \mathcal{M}_1\big)$

The two former guarded-constraints implement forward analysis, by examining the entailment of Dec: when Dec is entailed, Body is unrolled once and a recursive call to a new w is added to the constraint store; when Dec is disentailed, the loop is not entered and $\mathcal{M}_3 = \mathcal{M}_1$. The two following ones implement backward reasoning by examining the differences between the stores after and before execution of the iteration: if no execution of Body is possible from $\mathcal{M}_1$, the loop is not entered; if the exit state cannot be equal to the input state, Body must be executed at least once. Finally, the last operation, called join, is the trickiest one and implements the union of the stores in case of suspension of the operator. This join operation is performed iff none of the previous guarded-constraints has been solved. The rest of the Section is devoted to the presentation of this operator, which is implemented as an abstract operation over abstract domains.

4.3 Concrete fixed point computation

For a given w operator, let T be the following set:

$$T = \{(\mathcal{M}_i, \mathcal{M}_j) \mid \exists k,\ w^k(\mathcal{M}_i, \mathcal{M}_j, \_, Dec, Body)\}$$

T represents all pairs of memory states that are in relation through the w statement (the second state is reached from the first by some number of executions of Body), but still, not all those pairs can be considered as solutions of the relation, as some pairs can only be reached in temporary states of the execution. For this reason, we introduce the set $Z_w$:

$$Z_w = \{(\mathcal{M}_i, \mathcal{M}_j) \mid (\mathcal{M}_i, \mathcal{M}_j) \in T \wedge \mathcal{M}_j \in sol(\neg Dec)\}$$

where $sol(C)$ denotes the set of solutions of a constraint C.

T can be seen as the least fixed point of:

$$T^{i+1} = \{(\mathcal{M}_k, \mathcal{M}_j) \mid (\mathcal{M}_k, \mathcal{M}_l) \in T^i \wedge w(\mathcal{M}_l, \mathcal{M}_j, \_, Dec, Body)\} \cup T^i \quad (4)$$
$$T^0 = \{(\mathcal{M}_1, \mathcal{M}_1)\} \quad (5)$$

where $w(\mathcal{M}_l, \mathcal{M}_j, \_, Dec, Body)$ holds when Dec is true in $\mathcal{M}_l$ and one execution of Body from $\mathcal{M}_l$ yields $\mathcal{M}_j$. $Z_w$ can then be computed by filtering the pairs of the fixed point.

For instance, considering $\mathcal{M}_1 = x \mapsto 0 \vee x \mapsto 1 \vee x \mapsto 2 \vee x \mapsto 3$ and $w(\mathcal{M}_1, \mathcal{M}_2, \mathcal{M}_3, x < 2, x = x + 1)$, and using the notation $(0, 0)$ to denote $(x \mapsto 0, x \mapsto 0)$, the fixed point computation is as follows:

$$T^0 = \{(0,0), (1,1), (2,2), (3,3)\}$$
$$T^1 = \{(0,1), (1,2)\} \cup T^0 = \{(0,0), (0,1), (1,1), (1,2), (2,2), (3,3)\}$$
$$T^2 = \{(0,1), (0,2), (1,2)\} \cup T^1 = \{(0,0), (0,1), (0,2), (1,1), (1,2), (2,2), (3,3)\}$$

and $T^3 = T^2$, since Dec is false for $x = 2$ and $x = 3$. Consequently, the solution set of $w(\mathcal{M}_1, \mathcal{M}_2, \mathcal{M}_3, x < 2, x = x + 1)$ is:

$$Z_w = \{(a, b) \mid (a, b) \in T^2 \wedge (x \mapsto b) \in sol(x \ge 2)\} = \{(0,2), (1,2), (2,2), (3,3)\}$$

Computing $Z_w$ is undecidable in general, as there is no termination guarantee for the iterating process. This is the reason why this computation is usually abstracted using abstract domain computation.
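The iteration of eq. (4)-(5) and the filtering that yields $Z_w$, as an added example rather than the paper's implementation. It assumes that a memory state is any hashable Python value and that the loop is given as two callables, Dec and Body; the inputs are constructed for the example ($x \in 0..3$ as above, and the loop of the C program of Section 4.5 entered with $j = 100$ and $i \in 0..max\_i$, which exhibits the relation $j_{out} - i_{in} = 100$ on concrete states). The iteration cap handles the case, mentioned above, where no fixed point is ever reached.

```python
# Added example, not the paper's code: the concrete fixed point T^i of eq. (4)-(5) and the
# solution set Z_w for a loop given as a decision predicate and a body function over memory
# states. A state is any hashable value: an int for the mapping x -> v of this section, a
# pair (i, j) for the loop of the C program of Section 4.5.

def fixed_point_iterates(initial_states, dec, body, max_iter=1000):
    """Return [T^0, T^1, ..., T^n] with T^{n+1} = T^n, or None when no fixed point is reached
    within max_iter rounds (in general the iteration has no termination guarantee).
    T^0 = {(m, m)} and T^{i+1} = T^i U {(m_k, body(m_l)) : (m_k, m_l) in T^i and dec(m_l)}."""
    Ts = [frozenset((m, m) for m in initial_states)]
    for _ in range(max_iter):
        one_more = {(mk, body(ml)) for (mk, ml) in Ts[-1] if dec(ml)}
        if one_more <= Ts[-1]:
            return Ts
        Ts.append(Ts[-1] | one_more)
    return None

def solutions(T, dec):
    """Z_w: the pairs of T whose second state falsifies Dec, i.e. the loop has exited there."""
    return frozenset((mk, mj) for (mk, mj) in T if not dec(mj))

# Section 4.3: M1 = x -> 0 | x -> 1 | x -> 2 | x -> 3 and w(M1, M2, M3, x < 2, x = x + 1)
DEC_X = lambda x: x < 2
BODY_X = lambda x: x + 1

def example_x():
    Ts = fixed_point_iterates({0, 1, 2, 3}, DEC_X, BODY_X)
    return Ts, solutions(Ts[-1], DEC_X)

# Section 4.5, states (i, j): while (i > 0) { j = j + 1; i = i - 1; } entered with j = 100
DEC_IJ = lambda s: s[0] > 0
BODY_IJ = lambda s: (s[0] - 1, s[1] + 1)

def example_ij(max_i):
    """Concrete solutions for i_in in 0..max_i (constructed input). Every exit state satisfies
    j_out - i_in = 100, the relation the polyhedral analysis of Section 4.5 extrapolates to
    any number of unrollings (so statement f., j > 500, needs i_in > 400)."""
    Ts = fixed_point_iterates({(i, 100) for i in range(max_i + 1)}, DEC_IJ, BODY_IJ)
    Z = solutions(Ts[-1], DEC_IJ)
    assert all(j_out - i_in == 100 for (i_in, _), (_, j_out) in Z)
    return Ts, Z

if __name__ == "__main__":
    Ts, Z = example_x()
    for i, T in enumerate(Ts):
        print("T^%d = %s" % (i, sorted(T)))
    print("Z_w =", sorted(Z))                                    # [(0, 2), (1, 2), (2, 2), (3, 3)]
    print("rounds for i_in in 0..10:", len(example_ij(10)[0]) - 1)   # 10
```

The number of rounds equals the largest number of iterations any initial state performs, which is exactly why the concrete computation does not scale to the 400 unrollings of Section 4.5 or to unbounded domains: with `dec=lambda x: True` the iterate set grows forever and the function returns None.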

4.4 Abstracting the fixed point computation

Implementing the join operator mentioned above can be done by abstracting the computation of the fixed point within the Polyhedral abstract domain. Let $P^i$ be a conjunction of linear constraints, the intersection of which defines a convex polyhedron that over-approximates the set $T^i$. Hence, we can compute $P^\infty$ as the least fixed point of:

$$P^{i+1} = \{(\mathcal{M}_k, \mathcal{M}_j) \mid (\mathcal{M}_k, \mathcal{M}_l) \in P^i \wedge \alpha_{poly}(w(\mathcal{M}_l, \mathcal{M}_j, \_, Dec, Body))\} \cup P^i \quad (6)$$
$$P^0 = \alpha_{poly}(\{(\mathcal{M}_1, \mathcal{M}_1)\}) \quad (7)$$

Compared to eq. (4) and (5), the computation is realized in the abstract domain using $\alpha_{poly}$, the abstraction function of the Polyhedral abstract domain; the union $\cup$ of eq. (6) is the polyhedral join, i.e. the convex hull of the union, since a union of polyhedra is not convex in general.

Let $Z^{\alpha}_w$ be the approximation of the set of solutions of w, obtained by application of $\alpha_{poly}$:

$$Z^{\alpha}_w = \{(\mathcal{M}_i, \mathcal{M}_j) \mid (\mathcal{M}_i, \mathcal{M}_j) \in P^\infty \wedge \mathcal{M}_j \in \alpha_{poly}(sol(\neg Dec))\}$$

A. Gotlieb, T. Denmat, N. Lazaar

Figure 3: Exact and approximated fixed point

Looking at the above example, where $\mathcal{M}$ is just composed of the mapping $x \mapsto v$, it is worth introducing different representations of the stores as we progress in the fixed point computation. When $P^i$ is computed over $x_k$ and establishes a relation between stores, one of which contains $x_j$, we write $P^i(x_k, x_j)$. If $P^i$ is then considered over $y_k, y_j$, we simply write $P^i(y_k, y_j)$ and apply variable substitution. With these notations, we have the following computation:

$$P^0(x_{in}, x_{out}) = x_{in} \ge 0 \wedge x_{in} \le 3 \wedge x_{in} = x_{out}$$

$$P^1(x_{in}, x_{out}) = (P^0(x_{in}, x_0) \wedge x_0 \le 1 \wedge x_{out} = x_0 + 1)_{x_{in}, x_{out}} \cup P^0(x_{in}, x_{out})$$
$$= (x_{in} \ge 0 \wedge x_{in} \le 1 \wedge x_{out} = x_{in} + 1) \cup P^0(x_{in}, x_{out})$$
$$= x_{in} \ge 0 \wedge x_{in} \le 3 \wedge x_{out} \le x_{in} + 1 \wedge x_{out} \ge x_{in}$$

$$P^2(x_{in}, x_{out}) = (P^1(x_{in}, x_1) \wedge x_1 \le 1 \wedge x_{out} = x_1 + 1)_{x_{in}, x_{out}} \cup P^1(x_{in}, x_{out})$$
$$= (x_{in} \ge 0 \wedge x_{in} \le 3 \wedge x_{in} \le x_{out} - 1) \cup P^1(x_{in}, x_{out})$$
$$= x_{in} \ge 0 \wedge x_{in} \le 3 \wedge x_{out} \le x_{in} + 2 \wedge x_{out} \ge x_{in} \wedge x_{out} \le 4$$

$$P^3(x_{in}, x_{out}) = (P^2(x_{in}, x_2) \wedge x_2 \le 1 \wedge x_{out} = x_2 + 1)_{x_{in}, x_{out}} \cup P^2(x_{in}, x_{out})$$
$$= (x_{in} \ge 0 \wedge x_{in} \le 3 \wedge x_{in} \le x_{out} - 1) \cup P^2(x_{in}, x_{out})$$
$$= P^2(x_{in}, x_{out})$$

where the subscript $(\cdot)_{x_{in}, x_{out}}$ denotes the projection onto $x_{in}, x_{out}$, i.e. the elimination of the intermediate variable.

Fig. 3 illustrates the difference between the exact fixed point and the approximate fixed point. Points in the figure correspond to the elements of $T^2$, while the grey zone represents the convex polyhedron defined by $P^3$.

An approximation of the solutions of $w(\mathcal{M}_1, \mathcal{M}_2, \mathcal{M}_3, x < 2, x = x + 1)$ is given by:

$$Q = P^3(x_1, x_3) \wedge x_3 \ge 2$$
$$= x_3 \ge 2 \wedge x_3 \le 4 \wedge x_1 \le x_3 \wedge x_1 \le 3 \wedge x_1 \ge x_3 - 2$$

On the Polyhedral domain, convergence of the fixed point computation over $w(\mathcal{M}_1, \mathcal{M}_2, \mathcal{M}_3, x < 2, x = x + 1)$ can be enforced by using widening techniques. The computation of $P^{k+1}$ is modified in order to use a widening operator $\nabla$ [11]. Thus, we have:

$$P^{k+1} = P^k(Init, Out)\ \nabla\ \big(P^k \wedge \alpha_{poly}(w(\mathcal{M}_1, \mathcal{M}_2, \mathcal{M}_3, Dec, Body))\big)$$

A concrete algorithm for computing this approximation is given in [14], which permits to build an implementation of w in a constraint solver. As it is rooted in Abstract Interpretation, the relation w inherits some of its fundamental correctness results, i.e., soundness and termination. However, it is worth pinpointing some differences. Usually, a convex abstract polyhedron denotes the set of linear relations that hold over variables at a given point of a sequential program under analysis. As the goal here is to correctly approximate the set of solutions of a w relation, the polyhedron describes relations between input and output values and, thus, involves more variables in the equations. In Abstract Interpretation, the analysis can be performed only once, whereas, in the case of the w relation, the join operation is launched every time the relation is awoken without succeeding in solving one of the guarded-constraints. As a consequence, we found out that it was not reasonable to use standard libraries to compute over polyhedra, such as PPL [2], because they use a dual representation for polyhedra (constraints and generators), and the conversion between the two is a source of exponential time computations.
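The abstract computation of $P^0, \dots, P^n$ and of $Q$ in the polyhedral domain, as an added example that is neither the paper's solver nor PPL. It works in the two dimensions $(x_{in}, x_{out})$ of the example, represents a polyhedron by its vertices (exact rationals), assumes that Body is an affine map so that mapping the vertices is exact, and uses no widening, which is enough here because the loop is bounded. The exact convex hull keeps every supporting edge, so the $P^1$ and $P^2$ it computes are slightly tighter than the hand-written polyhedra above, which are sound but coarser. All names are this example's own.

```python
from fractions import Fraction

# Added example, not the paper's code: the abstract fixed point of eq. (6)-(7) for
# w(M1, M2, M3, x < 2, x = x + 1) in the 2-dimensional polyhedral domain over (x_in, x_out).
# A polyhedron is its counter-clockwise list of vertices (exact Fractions); the join is the
# convex hull of the union; Body is assumed affine, so mapping the vertices is exact.
# No widening is used: the loop is bounded, so the join alone reaches the fixed point.

def cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])

def hull(points):
    """Convex hull, Andrew's monotone chain; collinear inputs give a segment or a point."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    def half(seq):
        h = []
        for p in seq:
            while len(h) >= 2 and cross(h[-2], h[-1], p) <= 0:
                h.pop()
            h.append(p)
        return h
    lower, upper = half(pts), half(reversed(pts))
    return lower[:-1] + upper[:-1]

def clip(poly, a, b, c):
    """Intersection of the polygon with the half-plane a*x_in + b*x_out + c >= 0."""
    side = lambda p: a * p[0] + b * p[1] + c
    out = []
    for i, p in enumerate(poly):
        q = poly[(i + 1) % len(poly)]
        sp, sq = side(p), side(q)
        if sp >= 0:
            out.append(p)
        if (sp < 0 < sq) or (sq < 0 < sp):           # the edge p-q crosses the line
            t = Fraction(sp) / (sp - sq)
            out.append((p[0] + t * (q[0] - p[0]), p[1] + t * (q[1] - p[1])))
    return hull(out)

def join(p, q):
    """The polyhedral union of eq. (6): convex hull of both vertex sets."""
    return hull(list(p) + list(q))

def contains(poly, point):
    """Membership test for a counter-clockwise polygon with at least three vertices."""
    n = len(poly)
    return n >= 3 and all(cross(poly[i], poly[(i + 1) % n], point) >= 0 for i in range(n))

def abstract_fixed_point(lo, hi, dec_halfplane, body, max_iter=1000):
    """P^0 = alpha_poly({(M1, M1)}), the segment x_in = x_out over [lo, hi];
    P^{i+1} = P^i U body(P^i restricted to Dec on x_out).  Returns [P^0, ..., P^n] with
    P^n = P^{n+1}, or None when max_iter rounds did not converge (a widening is needed then)."""
    Ps = [hull([(lo, lo), (hi, hi)])]
    for _ in range(max_iter):
        one_more_iteration = [body(p) for p in clip(Ps[-1], *dec_halfplane)]
        nxt = join(Ps[-1], one_more_iteration)
        if set(nxt) == set(Ps[-1]):
            return Ps
        Ps.append(nxt)
    return None

def example():
    """x in 0..3; Dec 'x < 2' on integers is x_out <= 1, i.e. -x_out + 1 >= 0; the exit
    condition not Dec is x_out >= 2. Returns the iterates and Q = P^n /\ x_out >= 2."""
    Ps = abstract_fixed_point(0, 3, (0, -1, 1), lambda p: (p[0], p[1] + 1))
    return Ps, clip(Ps[-1], 0, 1, -2)

if __name__ == "__main__":
    Ps, Q = example()
    for i, P in enumerate(Ps):
        print("P^%d vertices:" % i, P)
    print("Q vertices:", Q)      # [(0, 2), (2, 2), (3, 3)]
```

Q is the triangle with vertices (0, 2), (2, 2), (3, 3): it contains the four concrete solutions of $Z_w$ and excludes points such as (3, 2), which the coarser hand-written $Q$ above still admits. With an unbounded loop (try a Dec that is always true) the iterates grow forever and the function gives up after `max_iter` rounds, which is the situation the widening $\nabla$ is there to handle.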



4.5 Illustrative example

Looking at an iterative computation over unbounded domains as a relation captured by a w constraint operator is interesting for addressing Constraint-Based Reachability problems. On the one hand, the suspension mechanism offered by constraint reasoning allows us to cope with the approximation problem, i.e., the set of states that is considered is determined by the information existing in the constraint store, which makes the reasoning more accurate w.r.t. the property to be demonstrated. On the other hand, adding abstract domain computations to the w relation allows us to increase the level of deductions that can be achieved at each awakening of the w constraint operator. To illustrate this remark, consider the following C program:

    f(int i, ...) {
    a.    j = 100;
    b.    while (i > 0)
    c.    { j = j + 1; i = i - 1; }
    d.
    e.    if (j > 500)
    f.
    }

A typical reachability problem is to find a value of i such that statement f. is executed. Existing approaches for solving this reachability problem consider a path passing through f., e.g., a-b-d-e-f, and try to solve the path condition attached to this path. In this case, it means extracting the constraint $j_1 = 100 \wedge i_1 \le 0 \wedge j_1 > 500$ and solving it to show that the constraint system is unsatisfiable, i.e., the corresponding path is infeasible. Then, these approaches backtrack to select another path (e.g., a-b-c-b-d-e-f with path condition $j_1 = 100 \wedge i_1 > 0 \wedge j_2 = j_1 + 1 \wedge i_2 = i_1 - 1 \wedge i_2 \le 0 \wedge j_2 > 500$) and repeat the process again, until a satisfiable path condition is found. This example is pathological for these approaches, as only the paths that iterate more than 400 times in the loop reach statement f.. Fortunately, using the constraint operator $w(\mathcal{M}_1, \mathcal{M}_2, \mathcal{M}_3, i > 0, j = j + 1 \wedge i = i - 1)$ permits us to unroll the loop dynamically 400 times without backtracking. The relational analysis performed on the Polyhedral abstract domain by the w operator determines that $j_{out} - i_{in} = 100$ whatever the number of loop unrollings (for $i_{in} \ge 0$), so that f. is reachable iff $i_{in} > 400$. Here, combining precise constraint reasoning in the concrete domain with constraint extrapolation through abstract domain computations offers an efficient way of solving reachability problems on infinite-state systems.
5 Conclusions

In this paper, we have presented Constraint-Based Reachability as a process to combine constraint reasoning and abstraction techniques for solving reachability problems in infinite-state systems. The contribution is two-fold: first, we have revisited constraint consistency-filtering techniques through the prism of abstract domain computations; second, we explained how to introduce abstract domain computation within the w constraint operator reasoning. We have illustrated these notions with several examples in order to ease the understanding of the reader.

This approach has been implemented and tested on several problems, including real-world programs [19, 20]. The goal is now to broaden the scope of these techniques that combine constraint reasoning and abstraction techniques, to address fundamental problems such as reachability in infinite-state systems.
Appendix

This appendix contains the proofs of some of the results stated in the paper.

Theorem 9 Let $\rho$ be a filtering operator associated with constraint $c_i$; then $\rho$ computes domain-consistency iff $\rho = \rho_{arc}$.

Proof 1 ($\Leftarrow$) Let $S_1 = (\mu \circ \gamma_{arc})(S)$. From the definitions of $\mu$ and $\gamma$, we get that $S_1$ is the solution set of constraint $c_i$ given the initial domains $S$ (we write $S_1 = sol(c_i, S)$). Hence, $S' = \alpha_{arc}(S_1) = (A_1, \dots, A_m)$ with

$$A_k = \{x_k \mid x \in sol(c_i, S)\}.$$

So, $\rho_{arc}$ computes domain-consistency.

($\Rightarrow$) Let $\rho$ be a domain-consistency filtering operator. Suppose that there exists $S$ such that $\rho(S) = (A_1, \dots, A_m)$ is strictly greater than $\rho_{arc}(S) = (B_1, \dots, B_m)$. Then, there exists at least one $k$ such that $A_k \supsetneq B_k$. Hence, there exists an element $x_k$ of $A_k$ that does not belong to any solution of constraint $c_i$. Hence, $\rho$ cannot compute domain-consistency, which contradicts the hypothesis. On the other side, $\rho$ cannot be smaller than $\rho_{arc}$, as it would mean that the filtering operator removes solutions. Hence, if $\rho$ computes domain-consistency then $\rho = \rho_{arc}$. □

Theorem 10 If $\rho$ is a filtering operator associated with constraint $c_i$, then $\rho$ computes bound-consistency iff $\rho = \rho_{bound}$.

Proof 2 ($\Leftarrow$) From Theorem 9, given initial intervals $I$, the domains $(\rho_{arc} \circ \gamma_{inter})(I)$ are domain-consistent for constraint $c_i$. Applying the function $\alpha_{inter}$ amounts to keeping the extremal values of each element of $(\rho_{arc} \circ \gamma_{inter})(I)$. Hence, the resulting intervals satisfy the bound-consistency property.

($\Rightarrow$) (similar to the proof of Theorem 9) If the filtering operator $\rho$ is greater than $\rho_{bound}$, then the computed intervals contain at least one bound that is not part of a solution of $c_i$, thus violating the bound-consistency property. On the contrary, by supposing that $\rho$ is smaller than $\rho_{bound}$, then solutions are lost and $\rho$ is no longer a filtering operator. Hence, if $\rho$ is a filtering operator guaranteeing bound-consistency then $\rho = \rho_{bound}$. □